On 11/03/12 16:18, Steve Chapel wrote:
> I will need to write an HTTPS proxy, which will examine the certificates
> sent from the web server and determine whether the certificate is valid
> or invalid. If the proxy determines that the certificate is valid, I will
> need to resign the document. I suppose this will require that the proxy
> be a certificate authority and will generate certificates for websites,
> which the proxy will then use to sign the documents. Will this be
> something that twisted can do easily? If so, where can I find
> documentation for how to do this?
This is a pretty hard question to answer in this form, and depends on
what you mean by "easily". Since you say it's classwork I'm reluctant to
say too much, but...
Fundamentally, the only "difficult" bit of this project in terms of
Twisted capabilities is finding the original destination address of your
intercepted connections (so that you can do a "lookaside" connection and
verify / impersonate the far-end cert).
Presumably you'll be using something like Linux/IPTables to do this:
iptables -t nat -A PREROUTING \
-p tcp --dport 443 -j REDIRECT --to-port <twisted>
In that case, you can find the original destination address by calling
getsockopt on the accepted connection's underlying socket:
self.transport.getHandle().getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)  # SO_ORIGINAL_DST = 80, from <linux/netfilter_ipv4.h>
...in your transport "connectionMade". You will presumably then want to
start up an SSL connection to the original IP (or draw from cache) to
find the far-end cert attributes (note: plural), call out to your local
MITM CA for an impersonated cert/key, then call startTLS in server mode
using a context holding the fake cert/key.
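Added example, not code from Phil's reply or from Twisted: decoding the 16-byte struct sockaddr_in that the SO_ORIGINAL_DST call returns, plus a loop guard so the proxy never dials itself. The option number 80 is Linux's value from <linux/netfilter_ipv4.h>; the sample bytes are constructed (RFC 5737 documentation address), so the block runs without a live REDIRECT rule, and the listen-address set passed to should_intercept is an assumed configuration value.

```python
import socket
import struct

# Linux-only socket option from <linux/netfilter_ipv4.h>; the Python socket
# module does not export it, so the value is defined here.
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(raw):
    """Decode the 16-byte struct sockaddr_in that SO_ORIGINAL_DST returns.

    Layout: sin_family (2 bytes, host byte order), sin_port (2 bytes, network
    byte order), sin_addr (4 bytes), then 8 bytes of zero padding.
    Returns (dotted_ip, port).
    """
    if len(raw) != 16:
        raise ValueError("sockaddr_in must be 16 bytes, got %d" % len(raw))
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr (family=%d)" % family)
    port, addr = struct.unpack("!H4s", raw[2:8])
    return socket.inet_ntoa(addr), port


def original_destination(sock):
    """Ask the kernel where a REDIRECTed connection was originally headed.

    Call this on the accepted socket (in Twisted, transport.getHandle()).
    Raises OSError if the connection did not come through a REDIRECT rule.
    """
    return parse_sockaddr_in(sock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def should_intercept(dest, listen_addrs, port=443):
    """Refuse destinations the proxy must not dial: its own listen addresses
    (which would loop back through the REDIRECT rule) and anything that is
    not the TLS port the rule targets."""
    ip, dport = dest
    return dport == port and ip not in listen_addrs


def build_sockaddr_in(ip, port):
    """Build the same 16-byte layout; used here only to construct sample
    input in place of a real netfilter redirect."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H4s", port, socket.inet_aton(ip))
            + bytes(8))


# Constructed sample: a connection originally bound for 192.0.2.10:443,
# laid out exactly as the kernel would report it.
SAMPLE = build_sockaddr_in("192.0.2.10", 443)

if __name__ == "__main__":
    dest = parse_sockaddr_in(SAMPLE)
    print("original destination:", dest)
    # Assumed proxy listen address for the loop check.
    print("intercept?", should_intercept(dest, {"192.0.2.1"}))
```

The family field is unpacked with "=" (host order) and the port with "!" (network order) because struct does not allow mixing byte-order prefixes in one format string; getting this wrong silently yields a bogus port on little-endian hosts.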
This isn't very hard, and Twisted has everything you need (accept TCP
connections, make outgoing SSL, find server certs, call out to
subprocess, startTLS in server mode) except the SO_ORIGINAL_DST stuff
(which is easy to add in).
Anyway, I hope this helps; good luck with the assignment!
Cheers,
Phil